Business Consultancy Services Ltd
March 2008
updated August 2010
updated October 2010
updated December 2010
updated April 2011
updated September 2011
updated October 2011

 

Dear Chief Executive/Managing Partner

 

Industrial espionage – mobile phones

May I bring the following points to your attention, and your colleagues', in case you are not already aware of them:

1 The location of a mobile phone can almost always be determined, wherever it is in the world, often with an accuracy of less than 100 metres. If you are attending a meeting with your mobile, then your presence can be detected. So can the presence of anyone else who is there with their mobile.

1.1 The same applies to satellite phones.

2 Mobile phone records show who you rang and who rang you, when and for how long, as you know from reading the bills. Your associates, the people you are dealing with, can be identified.

3 Since 1 October 2007, 652 public bodies in the UK have had the right to access your mobile phone records. This includes not only the bodies you might expect – the police, the security services, HMRC and the Financial Services Authority – but also every local authority in the country, the Gaming Board for Great Britain, the Food Standards Agency, the Environment Agency, the Scottish Ambulance Service Board, ...

3.1 It must be hard for an industrial spy to find a rotten apple but, with 652 barrels to choose from in the UK alone, the difficulty has been much reduced since last October.

4 Mobile phone conversations can be bugged.

5 That is well known. More extraordinary, it is possible for an eavesdropper, without your knowing it, to turn your mobile phone into a microphone so that all conversation in the vicinity of the phone is transmitted back to the eavesdropper. Hard to believe, but it is confirmed by the FT and the BBC.

5.1 It is possible for your mobile phone to act as a microphone at meetings even if it is switched off. Again hard to believe, again it is confirmed by the FT and the BBC. It doesn't apply to all mobile phones but, with some, when you turn them off, they are not really off, just in standby mode, and the only way really to turn them off is to remove the battery.

6 When Blackberries are used to send and receive emails, those emails all pass through computers controlled by RIM (Research in Motion), the Canadian suppliers of the Blackberry. If they want to, RIM can read your emails [questionable, denied by RIM].

6.1 The same applies to any internet service provider. Many countries, the UK included, have legislation entitling the authorities to read your emails, whether sent from PCs or mobile phones.

6.2 If they find a device that they can't monitor, some countries have been known to ban it. In France, for example, MPs are banned from using Blackberries. And India are currently (10 March 2008) considering a ban on Blackberries nationwide. The reason given is that their security services find it hard to monitor Blackberry emails – either the authorities can read your emails or you can't use the service.

Is an industrial spy going to bother with any of this wizardry to tap into negotiations you would prefer to be confidential? I have no idea. But note that, if someone thinks it would give them a commercial advantage, they could do so, even though it would be illegal*.

 

Yours faithfully

David Moss

* Robert Winnett, 21 March 2008, Daily Telegraph, 'Revealed: the dirty tricks of rogue traders':
A hedge fund based in London set up a "dirty-tricks unit" to manipulate share prices and get illicit information on companies in an attempt to make millions on the stock market, an insider has revealed.
As the official hunt began for the rogue traders who tried to bring down Britain's biggest mortgage lender, HBOS, The Daily Telegraph can reveal a whistle-blower's account of how a multi-billion pound fund allegedly used illegal tactics to drive down stock prices.
Private detectives were allegedly employed to hack into executives' emails and telephone records ...

1 August 2010, BBC, 'UAE "moves to suspend some Blackberry services"':
Blackberry maker Research in Motion (RIM) has not yet commented on the latest UAE reports, which come amid a row dating back to 2007 about allowing TRA [the UAE telecoms regulator] access to the code for RIM's encrypted networks so it can monitor email and other data.
 
Nic Fildes, 5 August 2010, The Times, 'Indonesia joins threat to ban BlackBerrys':
Indonesia has become the latest country to put pressure on Research in Motion after threatening to ban the use of BlackBerry devices unless the Canadian company sets up local servers ... RIM has been in the spotlight since the United Arab Emirates said that it would ban the instant messaging and e-mail functions used by an estimated 750,000 users in the Gulf state as it was unhappy with the way that the data is encrypted and sent to the technology company’s offshore servers.
 
Jessi Tabalba, 5 August 2010, The Guardian, 'Saudi BlackBerry messaging ban: security or snooping?':
 
Nic Fildes, 7 August 2010, The Times, 'BlackBerry "near deal to open messages to Saudis"':
The makers of BlackBerry mobile phones appear to have backed down in the face of demands from Saudi Arabia to allow the state to monitor messages sent on its devices ... Saudi Arabia switched off the signal for four hours yesterday citing security concerns over BlackBerry’s encrypted message service, which cannot be read by third parties ... Blackberry’s manufacturer Research In Motion (RIM) stores encrypted data in its home country, Canada, which the Saudis say does not meet their regulatory criteria or licensing conditions ... But today Saudi officials said the two sides had reached a preliminary deal on granting access to users’ data that will avert a ban on the phone’s messenger service in the kingdom.
 
P.C., 9 August 2010, The Economist, 'Spies, secrets and smart-phones':
... He then went on to say how "mind-boggling" are the capabilities of America's National Security Agency and its British counterpart, GCHQ. To this blogger, that sounded like: "Yes of course we can hack Skype calls and all the rest, but we have to pretend we can't".
 
Bill Ray, 8 October 2010, The Register, 'UAE unbans BlackBerrys':
The United Arab Emirates has cancelled the planned ban on RIM's BlackBerry service, saying that it no longer represents a threat to national security, but not explaining why.
 
Bill Ray, 6 December 2010, The Register, 'BlackBerry to Indian gov: Ban us, you have to ban Skype too':
RIM don't seem any more aware of what's going to happen than the rest of us. The Canadian company rarely comments on governmental negotiations, other than reiterating that it likes to comply with the law, but now RIM feels it necessary to remind us that the Indian government has previously said that BlackBerry users shouldn't be singled out (thus any ban must also apply to, say, Skype) and that lawful intercept of BlackBerry communications can easily be carried out at the end user's premises (the customer's BlackBerry Enterprise Server).
 
Josh Halliday, 18 April 2011, The Guardian, 'UAE to tighten BlackBerry restrictions':
BlackBerry users in the United Arab Emirates will soon be unable to send emails and messages without fear of government snooping, under tighter restrictions on internet communication in the Gulf state.
 
Josh Halliday and Saeed Shah, 30 August 2011, The Guardian, 'Pakistan to ban encryption software':
Internet service providers will be required to inform authorities if customers use virtual private networks in government crackdown ...
 
Millions of internet users in Pakistan will be unable to send emails and messages without fear of government snooping after authorities banned the use of encryption software.
 
A legal notice sent to all internet providers (ISPs) by the Pakistan Telecommunications Authority, seen by the Guardian, orders the ISPs to inform authorities if any of their customers are using virtual private networks (VPNs) to browse the web.
 
Bill Ray, 7 September 2011, The Register, 'South Africa joins the call for BlackBerry messaging keys':
South Africa has joined the call for access to the BlackBerry Messaging service, quoting the usual security concerns and pointing out that the UK plans much the same thing.
 
Anna Leach, 28 October 2011, The Register, 'RIM backdoor access for Indian probers':
RIM has opened a monitoring centre in Mumbai to help the Indian government sip data from Blackberry users there, said the Wall Street Journal today, quoting unnamed sources.
 
Ryan Gallagher and Rajeev Syal, 30 October 2011, Observer, 'Met police using surveillance system to monitor mobile phones':
Britain's largest police force is operating covert surveillance technology that can masquerade as a mobile phone network, transmitting a signal that allows authorities to shut off phones remotely, intercept communications and gather data about thousands of users in a targeted area.
 
The surveillance system has been procured by the Metropolitan police from Leeds-based company Datong plc, which counts the US Secret Service, the Ministry of Defence and regimes in the Middle East among its customers. Strictly classified under government protocol as "Listed X", it can emit a signal over an area of up to an estimated 10 sq km, forcing hundreds of mobile phones per minute to release their unique IMSI and IMEI identity codes, which can be used to track a person's movements in real time.
 
Bill Ray, 31 October 2011, The Register, 'Scotland Yard trackers operate fake mobile base stations':
... Tracking people is a good deal easier. Phones broadcast an identifying number (the TIMSI) which can't immediately be linked to an individual but can be used to track movements in an entirely passive way. The lack of identity actually makes the process (legally) easier, as under the current legislation the privacy implications disappear when there's no identity.
 
The police ... can go back to the network operator later and link the TIMSI to a real IMSI [see GSM Security]. That will generally link to a physical person, who might then have to explain what his/her phone was doing at the time in question.